Firmware attack can drop persistent malware in hidden SSD area


Aug 17, 2014
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.

The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.

Hardware-level attacks offer ultimate persistence and stealth. Sophisticated actors have worked hard to implement such concepts against HDDs in the past, hiding malicious code in unreachable disk sectors.

Flex capacity is a feature in SSDs from Micron Technology that enables storage devices to automatically adjust the sizes of raw and user-allocated space to achieve better performance by absorbing write workload volumes.
The researchers note [PDF] that forensic activity on NAND flash memory can reveal data that has not been deleted in over six months.

In a second attack model, the OP area is used as a secret place that users cannot monitor or wipe, where a threat actor could hide malware.

Example of malware injection in the OP space
The paper describes this attack as follows:
It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%.
At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behavior of hackers.
The obvious advantage of such an attack is that it is stealthy. Detecting malicious code in OP areas is not only time-consuming but also requires highly-specialized forensic techniques.
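The paper's scenario hinges on the aggregate user area across SSD1 and SSD2 staying at 100% while the per-device split moves from 50/50 to 25/75, which is why a channel-level view misses the resize. The following added example (not code from the article, the forum post, or the researchers' paper) shows the defender-side check that follows from that observation: record raw NAND capacity and user-visible capacity per device, compute each drive's over-provisioning ratio, and alert on per-device drift from a baseline even when the channel total is unchanged. How the capacity figures are collected from a given drive is assumed to be handled elsewhere; the snapshots below are constructed to mirror the paper's SSD1/SSD2 numbers.

```python
"""Per-device over-provisioning (OP) drift check.

Added illustration, not code from the article or the paper. It assumes an
operator can periodically record, for each SSD, the raw NAND capacity and
the user-visible capacity; the snapshot values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

GIB = 1024 ** 3


@dataclass(frozen=True)
class CapacitySnapshot:
    device: str
    raw_bytes: int   # total NAND behind the controller
    user_bytes: int  # capacity exposed to the host

    @property
    def op_ratio(self) -> float:
        """Fraction of raw NAND held back as hidden OP area."""
        if self.raw_bytes <= 0 or self.user_bytes > self.raw_bytes:
            raise ValueError(f"{self.device}: implausible capacity values")
        return (self.raw_bytes - self.user_bytes) / self.raw_bytes


def total_user_bytes(snapshots: List[CapacitySnapshot]) -> int:
    """Channel-level user area: the figure a casual check would look at."""
    return sum(s.user_bytes for s in snapshots)


def channel_total_unchanged(baseline: List[CapacitySnapshot],
                            current: List[CapacitySnapshot]) -> bool:
    return total_user_bytes(baseline) == total_user_bytes(current)


def detect_op_drift(baseline: List[CapacitySnapshot],
                    current: List[CapacitySnapshot],
                    tolerance: float = 0.01) -> List[Tuple[str, str]]:
    """Return one finding per device whose OP ratio moved beyond tolerance.

    A device that appears in the current snapshot but not in the baseline
    is reported too, since its OP area cannot be compared to anything.
    """
    by_device = {s.device: s for s in baseline}
    findings: List[Tuple[str, str]] = []
    for cur in current:
        ref = by_device.get(cur.device)
        if ref is None:
            findings.append((cur.device, "device absent from baseline"))
            continue
        if abs(cur.op_ratio - ref.op_ratio) > tolerance:
            findings.append(
                (cur.device, f"OP {ref.op_ratio:.0%} -> {cur.op_ratio:.0%}"))
    return findings


# Constructed baseline: two drives with 1 TiB of raw NAND, 50% OP each.
BASELINE = [
    CapacitySnapshot("SSD1", 1024 * GIB, 512 * GIB),
    CapacitySnapshot("SSD2", 1024 * GIB, 512 * GIB),
]

# Constructed later snapshot matching the paper's resize: SSD1 shrinks to
# 25% OP, SSD2 grows to 75% OP, so the channel still exposes 1 TiB in total.
LATER = [
    CapacitySnapshot("SSD1", 1024 * GIB, 768 * GIB),
    CapacitySnapshot("SSD2", 1024 * GIB, 256 * GIB),
]

if __name__ == "__main__":
    print("channel total unchanged:", channel_total_unchanged(BASELINE, LATER))
    for device, note in detect_op_drift(BASELINE, LATER):
        print(f"ALERT {device}: {note}")
```

Run as-is, the script reports that the channel total is unchanged and then raises one alert per drive, which is the point: only a per-device baseline of the OP ratio exposes the resize the paper relies on.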